Skip to main content

Infrastructure · Access Control & Biometrics · UAE

Access Control & Biometrics

A vendor-neutral UAE-focused buyer's guide for physical access control, readers, controllers, credentials, biometrics, software platforms and visitor management. Honest comparisons across HID, Lenel S2 (Carrier), Honeywell, Gallagher, Suprema, ZKTeco, Matrix, Genetec Synergis and modern cloud entrants like Avigilon Alta and Verkada Access, with Civil Defence / SIRA alignment.

Biometric, RFID, face recognition, fingerprint, smart-card and mobile credentials. Time and attendance, visitor management. ZKTeco, Suprema, Hikvision, Honeywell, HID, Matrix, Lenel, Idemia, Avigilon Alta (Openpath), Verkada, Brivo, Genea, Kisi, Salto, dormakaba. Civil Defence egress, SIRA-licensed installation, sector-regulator alignment (CBUAE, DHA, RTA, NESA, TDRA), HR / AD / Azure AD / Okta integration.

Read the Buyer's GuideBack to Infrastructure

The Buyer's Guide

Eight questions before any contractor RFP

Most failed access control deployments in UAE failed at this stage, the customer told a contractor 'we want some card readers' and got a quote against the wrong architecture, with credentials that don't integrate with HR, no Civil Defence-compliant egress design, and no path to mobile / biometric.

StepQuestionNail downWhy it matters
1What is access control for?Building entrance, internal zoning, sensitive labs / server rooms, time-and-attendance, parking, visitor management, multi-tenant access, OT / industrialEach purpose drives different reader type, credential, software depth and integration. Time-and-attendance with biometric clock-in is a different product from server-room dual-credential access.
2How many doors and sites?Total controlled doors, turnstiles, parking barriers, lift access points, sites, integration scopeScale drives architecture, small standalone controllers vs enterprise platform vs cloud. SMB < 20 doors and enterprise > 500 doors are different conversations.
3How many cardholders, plus visitor volume?Permanent staff cardholders, temporary contractors, daily visitor countCardholder + visitor scale drives credential strategy (cards / mobile / biometric), enrolment workflow and visitor management platform choice.
4What credential type(s)?Proximity cards (legacy), MIFARE / DESFire smart cards, mobile credentials (NFC / BLE), Apple / Google Wallet, biometrics (fingerprint / face / palm / iris), Emirates ID integrationCredential choice has 7-10 year consequences. Specifying low-frequency 125 kHz prox in 2026 locks you into legacy technology with known cloning vulnerability.
5Civil Defence egress & fire integration?Free-egress hardware (push bars / breakglass / RTE), fire alarm release, magnetic lock fail-safe vs strike fail-secureUAE Civil Defence (DCD / ADCD / SCD) mandates specific egress & fire-release behaviour. Non-compliance prevents occupancy sign-off.
6HR / IDM / AD integration?Joiners-movers-leavers automation, HR system as source-of-truth, multi-factor with corporate ADWithout HR integration, leavers retain access for weeks; without AD integration, multi-factor is impossible. Both are foundational for any modern enterprise.
7Integration with CCTV / intrusion / fire / SOC?Door-forced events popping the relevant CCTV feed, intrusion arm/disarm by access events, SIEM integrationUnified physical security, VMS + access + intrusion + fire, is materially better than four siloed systems. Genetec Security Center, Lenel OnGuard / S2 NetBox, Avigilon Alta and Honeywell Pro-Watch all support this.
8Compliance & data residency?Cardholder PII / biometric template residency, GDPR-equivalent retention, SIRA documentation, sector-specific regulator (DHA / CBUAE / NESA)Biometric templates carry stricter residency and consent requirements than card numbers. UAE customers in regulated verticals must keep cardholder + biometric data in-country, with audit trail.

Checklist

Technical fit

  • Reader credential support (13.56 MHz MIFARE / DESFire EV2/3, mobile, biometric)
  • OSDP v2 reader-to-controller (replaces Wiegand)
  • Controller capacity (doors per controller, redundancy)
  • Open / proprietary architecture (HID, Mercury / LP, vendor-locked)
  • Door hardware (mag-lock / strike / electric mortice)
  • Free-egress hardware (RTE / push bar / breakglass)
  • Failover modes (fail-safe vs fail-secure per door)
  • Anti-passback, mantrap, dual-credential

Checklist

Operational fit

  • Single management software / cloud console
  • HR / AD / Azure AD / Okta integration (SCIM)
  • Cardholder lifecycle & bulk operations
  • Mobile credential lifecycle & revocation
  • Visitor management integration
  • Reports / audit trail / forensic search
  • Health monitoring of controllers / readers
  • API maturity for ITSM / SIEM / HR sync

Checklist

Commercial fit

  • Per-door / per-reader / per-cardholder licensing
  • Card cost (MIFARE DESFire vs prox vs mobile)
  • Mobile credential pricing (per user / monthly)
  • Software-assurance / Care contract
  • Cloud subscription vs perpetual on-prem
  • 5-year TCO (hardware + software + credentials)
  • Refresh cycle (8-12 yr typical for controllers)

Checklist

Regulatory & service fit

  • UAE Civil Defence egress compliance
  • SIRA / ADP / sector approval where applicable
  • Emirates ID integration (where required)
  • UAE certified installer / SI
  • 4-hr onsite SLA
  • Spare reader / controller stock in-country
  • UAE-region cloud (where cloud-managed)
  • Biometric data residency

UAE Regulatory Landscape

Civil Defence, SIRA, Emirates ID

Access control in UAE is governed by overlapping regulations, Civil Defence for egress / fire safety (mandatory for occupancy), SIRA / ADP for security premises, sector regulators for healthcare / banking, and Emirates ID for certain identity-aware integrations. Non-compliance is an occupancy issue, not just a security one.

Authority / frameworkCoverageKey requirements
UAE Civil Defence (DCD Dubai / ADCD Abu Dhabi / SCD Sharjah / others)All occupied premisesFree-egress hardware on all egress routes (push bar, breakglass, RTE), fail-safe magnetic locks released by fire alarm, fire-rated controllers / cabling, certified installer for fire-integrated access components, occupancy sign-off conditional on compliance
SIRA, Security Industry Regulatory Agency (Dubai)Security-sensitive premisesApproved access control vendor lists for specific premises types, SIRA-licensed installation companies, sometimes integration with central monitoring
Abu Dhabi Police / MCC, other Emirates PoliceEquivalent to SIRA in respective EmiratesApproved-vendor lists, certified installers, sector-specific integration mandates
ICP, Federal Authority for Identity (Emirates ID)Emirates ID-integrated access (some government, airports, ports)Emirates ID NFC / contact reader requirements, ICP-approved integration paths, biometric template handling rules
DHA / SEHA / ADHAHealthcare facilitiesPatient-area access rules, narcotics-cabinet dual-control, audit trail for sensitive zones, hand-hygiene station integration
CBUAEBanks, ATM lobbies, cash-handling roomsDual-credential / mantrap requirements for vault & cash-handling areas, audit retention, integration with intrusion alarm
NESA / TDRACyber / data residencyCardholder data & biometric templates residency, encryption, cyber-aligned firmware patching
RTA (Roads & Transport, Dubai)Parking, depot, transit facilitiesANPR-integrated access, RTA-specific requirements for taxi / bus depots

Practical implications for buyers

  • Civil Defence egress is non-negotiable. Every egress door must have free-egress hardware. Magnetic locks must fail-safe (release on power loss / fire alarm). Strike locks may fail-secure or fail-safe depending on door function. Get this wrong and the building doesn't get occupancy sign-off.
  • Fire alarm integration is hard-required, magnetic locks on egress paths must release on fire alarm. Wire this carefully and certify it on commissioning.
  • SIRA approval (where applicable) follows the same model as CCTV, verify approval at SKU level and use SIRA-licensed installer.
  • Biometric data residency: templates are PII under most regulators. UAE-region cloud or on-prem storage; encrypted at rest; documented retention and consent. Confirm at design.
  • Emirates ID integration is permitted for specific licensed use cases (some government, airport, port, banking), not for general commercial access. Don't quote Emirates ID as a general credential.

Architecture Decision

On-prem vs cloud-managed access control

The architectural decision sets the trajectory for the next 8-12 years. UAE has a mature on-prem access control market; cloud-managed access control is growing rapidly for distributed and SMB customers.

ArchitectureHow it worksStrengthsWeaknessesBest for
Standalone door controllers (no central system)Each door has its own controller; no central database; cardholders enrolled per-doorNo audit trail, no central revocation, JML chaos, no integrationExisting legacy estate maintenance only
Small-scale on-prem (single panel + server)Single panel manages 4-32 doors; software on a local serverSimple, cost-effective for SMB single-siteLimited scale, weak multi-site, vendor-locked panel/softwareSMB single-site < 32 doors
Enterprise on-prem platformCentral server / cluster running enterprise platform (Lenel OnGuard, Lenel S2 NetBox, Honeywell Pro-Watch, Genetec Synergis, Gallagher Command Centre, AMAG Symmetry, Bosch AMS) connecting to distributed Mercury / LP / vendor-specific controllersScale to 10,000s of doors, multi-site federation, deep integration with CCTV / intrusion / fire / HR / AD, compliance audit trail, mature operationallyServer / network capex, requires operational discipline, license costs scale with doors / cardholdersDefault for mid-market through enterprise, banks, government, hospitals, large hospitality / retail estates
Hybrid (on-prem with cloud-management plane)Local controllers + cloud-hosted management UI / cardholder DB / mobile-credential issuanceHybrid combines on-prem reliability with cloud convenienceBandwidth dependency for management; data residency considerationsMulti-site customers wanting cloud admin UX with local door reliability
Cloud-managed access control (ACaaS)Cloud-hosted platform; controllers phone home for policy; mobile-first admin and cardholder UX, Avigilon Alta (formerly Openpath), Verkada Access, Brivo, Genea, Kisi, Salto KS, ButterflyMXNo on-prem servers, modern UX, mobile credentials native, multi-site simple, predictable opex, frequent feature updatesPer-door / per-cardholder subscription, internet dependency for admin (doors keep working offline), cloud residency, less customisation than enterprise on-premMulti-site offices, distributed hospitality / retail, modern offices, SMB through mid-market
OEM cloud (Lenel BlueDiamond / HID Mobile Access / Honeywell Cloud)Vendor's own cloud platform tightly integrated with their controllersSingle-vendor stack, deep platform integrationVendor lock-inCustomers committed to a single major vendor wanting cloud convenience

Practical recommendation in 2026/2027

For most UAE mid-market through enterprise customers, enterprise on-prem platforms (Lenel S2 NetBox / OnGuard, Honeywell Pro-Watch, Genetec Synergis, Gallagher Command Centre) remain the default, particularly for banks, hospitals, government, large hospitality / retail estates and any premises with deep CCTV / intrusion / fire integration needs. For multi-site distributed offices, modern fit-outs and mid-market customers wanting mobile-first UX, cloud-managed access (Avigilon Alta, Verkada Access, Brivo, Genea) is increasingly the better answer. Standalone single-door controllers should be avoided beyond very small SMB.

Component Deep Dive

An access-controlled door is a system of 6-8 components

Skipping or under-spec'ing any one creates a weak link. Below are the practical components and what to specify.

ComponentFunctionSpecification notes
ReaderReads the credential; sends data to controllerSpecify 13.56 MHz MIFARE DESFire EV2/EV3 (or DESFire-EV3 + mobile + biometric multi-tech) for new installs. Always use OSDP v2 reader-to-controller (replaces Wiegand which has known security issues).
Controller / panelCentral decision-maker per door / set of doors; stores access rules; logs eventsMercury Security / LP-class controllers are an industry-open standard supported by Lenel, Honeywell, Genetec, AMAG and many others. Capacity per controller varies (2 / 4 / 8 / 16 doors). Specify redundancy & PoE+ option for cleaner cabling.
Lock hardwarePhysically holds the doorMagnetic lock (fail-safe), releases on power loss or fire alarm; common on egress doors. Electric strike (fail-secure / fail-safe configurable), for door frames that can take a strike; preserves mechanical key access. Electric mortice / drop-bolt, for premium / heavy doors.
Request-to-exit (RTE / RX)Allows free egress without presenting credential, passive IR or push-buttonMandatory on most egress doors per Civil Defence. Always wire to controller for unlatch + alarm-suppression.
Door position switch (DPS)Detects door open / closedRequired for door-forced and door-held-open alarms.
Push bar / panic hardwareMechanical panic egress, overrides electrical lockMandatory on egress doors per Civil Defence. Must integrate with controller for alarm.
Breakglass / emergency releaseEmergency manual override of magnetic lockRequired adjacent to mag-lock egress doors. Once broken, must be replaced.
Door operator (auto-opener)Powered door operation, accessibility, hands-free, infection control (hospitals)Specify ANSI / BHMA-rated, integrate with controller for delayed unlock.
Turnstile / mantrap / portalAnti-tailgate physical barrierSpeed gate / waist-high tripod / full-height turnstile / interlocked mantrap. Choose by traffic volume + security level.
Power supply / UPSBackup power to controllers + locksCentralised cabinet PSU with battery backup (4-12 hours typical); separate fail-safe vs fail-secure circuits.

OSDP v2 vs Wiegand

Specify OSDP v2 (Open Supervised Device Protocol) for any new install, it's bidirectional, encrypted, supervised (detects tampering), and the modern replacement for Wiegand (which is unencrypted, one-way, and has been demonstrated cloneable for years). All major vendors support OSDP v2; the only reason to use Wiegand on a new install is integration with a legacy controller, and that's a sign the controller needs replacing too.

Credential Technologies

What to specify in 2026/2027

Credential choice has 7-10 year consequences. Choose the wrong technology and you're locked into security and operational compromises for the building's life.

CredentialStatus in 2026StrengthsWeaknessesNotes
125 kHz proximity (HID Prox / EM4100 / generic prox)Should not be deployed for new installsTrivially cloneable with sub-AED 200 device, no encryption, well-known security issuesReplace at refresh; never specify for new
MIFARE Classic 1K / 4KAvoid for new installsCryptography (Crypto-1) broken since 2008; cards are practically cloneableReplace at refresh
iCLASS legacy (HID iCLASS standard, not SE / Seos)Aging, replace at refreshSmart card baseline, was widely deployedOlder keysets have known vulnerabilities; superseded by iCLASS SE / SeosMigrate to Seos at refresh
MIFARE DESFire EV2 / EV3Default smart card for new installsAES-128 mutual auth, multi-application, mature, broad reader support across vendors, open standardPer-card cost ~5-8 AED vs basic prox 1-2 AEDIndustry default. Specify EV3 for new builds.
HID Seos (iCLASS Seos)Default smart card for HID-aligned shopsStrong cryptography, mobile-credential-ready, broad ecosystem, future-proofHID-licensed (small fee per credential)HID's modern smart card. Compatible with HID Mobile Access.
Mobile credentials (NFC / BLE on smartphone)Increasingly default for new corporate installsNo physical card to lose / forget, instant issuance / revocation, two-factor with phone biometric, audit trail of issuance, no card-printing operationsPer-user / per-month subscription typical; depends on user's phone OS/version, not all readers support BLEHID Mobile Access, Avigilon Alta Mobile, Verkada Access mobile, Apple Wallet for Access (specific vendors)
Apple Wallet for Access / Google Wallet for AccessEmerging, premium experienceNative iPhone / Apple Watch / Android wallet, best user experience, no third-party app neededCurrently limited to specific certified vendors (HID, Salto, dormakaba, others); per-user feesWatch list, increasingly important for premium fit-outs from 2026 onwards
Biometric (fingerprint / face / palm / iris)Mature for specific applicationsNo credential to lose, can be combined with card / mobile for two-factorPrivacy / consent requirements, template residency, environmental factors (gloves, dust), enrolment overheadSee dedicated biometric section below
Emirates IDSpecific licensed use cases onlyNational ID, eliminates separate card issuancePermitted only for specific licensed integrations (government, airport, port, banking), not for general commercialDon't specify for general commercial access
QR code / one-time PIN (visitor)Suitable for visitorsNo physical credential; ideal for one-time visitor / contractor accessLower security than card / mobile; suitable for visitor only, not employeeStandard with most modern visitor management platforms

Practical recommendation for new credential strategy in 2026/2027

  • Permanent staff: Mobile credential (HID Mobile Access / Avigilon Alta / Verkada Access) as primary, with MIFARE DESFire EV3 or HID Seos card as fallback / for non-smartphone users.
  • Visitors / contractors: QR code / one-time PIN issued via visitor management.
  • High-security zones (server rooms, vaults, sensitive labs): Two-factor, card + biometric, or mobile + PIN.
  • Industrial / harsh environments: Robust card (DESFire) + glove-tolerant reader; avoid fingerprint where gloves are mandatory.
  • Time-and-attendance: Biometric (fingerprint or face) for tamper-resistant clock-in.

Biometrics Deep Dive

Mature for specific applications

Biometric access is mature in UAE, particularly for time-and-attendance, server rooms and hospital narcotics. The right biometric modality depends heavily on environment and user population.

ModalityStrengthsWeaknessesBest forLeading vendors
Fingerprint (optical / capacitive / multispectral)Mature, low-cost, well-understood, multispectral handles wet / dry / dirty fingersFails with gloves / heavy hand contamination, hygiene concerns post-COVIDTime-and-attendance, office staff, server rooms (paired with card)Suprema BioStation, ZKTeco SpeedFace, HID Lumidigm (multispectral), Idemia MorphoWave
Face recognitionTouchless, fast (sub-second), works at distance, no consumablePrivacy / regulator-restricted (UAE: limited to authorised use cases for general commercial), lighting and mask compatibilityOffice staff (in regulator-permitted contexts), time-and-attendanceSuprema FaceStation 2 / F2, Anviz FaceDeep, Hanwha (some integrations), Idemia VisionPass
Palm veinTouchless, very low false-acceptance rate, hygienic, hard to spoofHigher per-reader cost than fingerprintHigh-security (data centers, vaults, narcotics cabinets), hospitalsFujitsu PalmSecure, Hitachi VeinID, M2SYS
Iris recognitionExtremely accurate, contactlessHighest cost, narrower deploymentVery-high-security, government / immigrationIris ID (formerly LG Iris), Idemia, Princeton Identity
Hand geometryTolerant of hand contamination, robustLarger reader, dated technologyIndustrial / construction sites for time-and-attendanceHandPunch (legacy)
Multimodal (face + fingerprint, face + palm)Higher accuracy, fallback if one modality failsHigher cost, more enrolment overheadPremium high-security applicationsSuprema, Idemia, HID

Biometric data handling, practical UAE notes

  • Templates are PII. Biometric templates carry stricter residency, retention and consent requirements than card numbers. Always design for in-country storage with encryption at rest.
  • Consent & transparency. Inform staff/visitors about biometric collection, retention and deletion. Maintain a clear opt-out path (alternate credential, card / mobile).
  • Face recognition for general commercial deployment is regulator-restricted in UAE (similar to CCTV facial recognition). Limit deployment to authorised use cases, typically time-and-attendance with consent, premises with explicit licensed use case, or paired with another credential as a verification factor (not as the sole identifier).
  • Template-level vs image-level storage, modern biometric systems store mathematical templates, not images. Always specify template-only storage, never raw biometric images.
  • Multi-factor for sensitive zones. Don't use biometric alone for very-high-security zones, use card + biometric or mobile + biometric for true two-factor.

Access Control Vendor Comparison

Twenty-two vendors compared, honestly

HID

HID Global (readers + iCLASS Seos + Mobile Access + Mercury LP / EVO controllers + Origo / WorkforceID)

Leader (readers + credentials)

Strengths: Industry-standard reader portfolio (Signo, iCLASS SE / Seos), mobile credential platform (Mobile Access / Origo), broad ecosystem, works with virtually every major access platform, mature OSDP support, broad UAE channel

Weaknesses: HID Global is primarily readers + credentials, needs a software platform partner (Lenel / Honeywell / Genetec / AMAG / others)

Best for: Across the industry, most enterprise customers use HID readers + credentials with their preferred software platform

Top pick, readers, credentials, mobile access

Lenel S2

Lenel S2 (Carrier), OnGuard, NetBox

Leader (enterprise platform)

Strengths: Industry-leading enterprise platform, OnGuard for very-large multi-site, NetBox for browser-based mid-enterprise, deep integration ecosystem (CCTV, intrusion, fire), Mercury controller support, mature in banks / government / healthcare globally

Weaknesses: Premium pricing; requires skilled integrator

Best for: Banks, government, large hospitals, multi-site enterprise

Top pick, premium enterprise platform

Honeywell

Honeywell Pro-Watch / WIN-PAK

Leader

Strengths: Mature platform, deep integration with Honeywell intrusion / fire / building management; strong vertical presence in commercial real estate, hospitality, manufacturing

Weaknesses: Premium pricing; UAE channel via select integrators

Best for: Honeywell-aligned customers, integrated security buyers

Strong choice for Honeywell-aligned shops

Gallagher

Gallagher Command Centre + Controller 6000

Leader (premium / regulated)

Strengths: Industry-leading for regulated / government / mining / utility / critical infrastructure, very strong intrusion + perimeter integration, mature multi-site federation

Weaknesses: Premium pricing; smaller channel than HID / Lenel in commercial

Best for: Government, utility, mining, critical infrastructure, premium regulated

Strong choice for regulated / critical infrastructure

Genetec

Genetec Synergis (with Security Center)

Leader (unified)

Strengths: Tight integration with Omnicast (VMS) + AutoVu (ANPR) + Mission Control, single platform across VMS / access / ANPR / intrusion, Mercury controller support, multi-vendor reader support

Weaknesses: Best fit when Genetec is the unified platform; smaller stand-alone access market share

Best for: Airports, government, large public-sector wanting unified VMS + access

Top pick when unified VMS + access is the goal

AMAG

AMAG Symmetry

Established Leader

Strengths: Mature enterprise platform, government heritage (US / UK), deep credential workflow, integrates with HID readers + Mercury controllers

Weaknesses: Smaller UAE installed base than Lenel / Honeywell

Best for: Government, large enterprise wanting alternative to Lenel / Honeywell

Established alternative

Bosch

Bosch AMS / BIS

Leader (Bosch-aligned)

Strengths: Tight integration with Bosch fire / intrusion / CCTV (BVMS), German engineering quality, strong in industrial / critical infrastructure

Weaknesses: Best fit when Bosch is across the security stack; smaller standalone access market

Best for: Bosch-aligned shops, industrial / critical infrastructure

Strong choice for Bosch-aligned

C·CURE

Software House (Tyco / Johnson Controls) C·CURE 9000

Established enterprise

Strengths: Very mature, broad integration ecosystem, Tyco / JCI heritage, large estate references

Weaknesses: Premium pricing; UAE channel concentrated

Best for: JCI / Tyco-aligned customers, large enterprise

Reasonable enterprise alternative

Avigilon Alta

Avigilon Alta (formerly Openpath), Motorola Solutions

Cloud Leader

Strengths: Modern cloud-managed access, strong mobile credential, simple deployment, integrates with Avigilon Alta video, NDAA-compliant; growing UAE partner network

Weaknesses: Cloud-only model; per-door subscription

Best for: Modern offices, distributed multi-site, customers wanting cloud + mobile-first UX

Top pick, cloud-managed access

Verkada

Verkada Access

Cloud Leader

Strengths: Single-vendor cloud access + video + intrusion, simple admin, NDAA-compliant, strong AI search across video + access events

Weaknesses: Locked to Verkada hardware; subscription-only

Best for: Customers wanting single-vendor cloud-managed VMS + access

Strong choice when single-vendor cloud-managed is the goal

Brivo

Brivo

Cloud Leader (longest-running)

Strengths: Mature cloud platform (since 2002), broad reader compatibility, integrates with multiple VMS, strong API

Weaknesses: UAE channel less broad than Avigilon Alta / Verkada

Best for: Multi-site real-estate operators, customers wanting mature cloud

Solid cloud alternative

Genea

Genea

Cloud Challenger (Mercury-based)

Strengths: Cloud platform on top of Mercury controllers, preserves enterprise hardware while delivering cloud UX

Weaknesses: Smaller market share, narrower UAE presence

Best for: Mercury-controller customers wanting cloud admin

Niche but interesting cloud option

Kisi

Kisi

Cloud Challenger (SMB / mid-market)

Strengths: Modern UX, mobile-credential native, simple SMB pricing

Weaknesses: SMB / mid-market focus; less suited to large enterprise

Best for: SMB modern offices, co-working, distributed startups

Strong for SMB / co-working

Salto

Salto Systems (XS4 + KS Cloud)

Leader (smart locks + access)

Strengths: Industry-leading wireless smart locks (XS4 platform), KS / Salto Space cloud and on-prem options, very strong in hospitality

Weaknesses: Best fit when smart locks are the architecture; less suited to traditional wired-controller estates

Best for: Hotels, hospitality, multi-tenant offices, retrofit where wiring is expensive

Top pick for wireless smart locks / hospitality

dormakaba

dormakaba

Established (locks + hospitality)

Strengths: Very strong in hotel locks, integrates with PMS, broad mechanical + electronic portfolio

Weaknesses: Best fit for hospitality / hotel locks

Best for: Hotel chains, hospitality

Strong hospitality alternative to Salto

ASSA ABLOY

ASSA ABLOY (Aperio wireless, Yale, HID)

Established (largest lock parent group)

Strengths: Aperio wireless integration with most enterprise platforms (Lenel, Honeywell, Genetec), Yale residential, parent of HID

Weaknesses: Vast portfolio, pick the right product line for the application

Best for: Wireless lock retrofit, multi-vendor compatibility

Strong choice for wireless extensions to wired estates

Suprema

Suprema (BioStation, FaceStation, BioMini)

Leader (Biometric)

Strengths: Industry-leading biometric readers, fingerprint, face, multimodal, with BioStar 2 platform; strong UAE channel; integrates with most enterprise access platforms

Weaknesses: Best for biometric-led applications; non-biometric features less differentiated

Best for: Time-and-attendance, sensitive zones, biometric-led access

Top pick, biometric readers

ZKTeco

ZKTeco

Mass-market Leader (with caveats)

Strengths: Broadest portfolio at most aggressive pricing, fingerprint, face, palm, hybrid; controllers; full software stack; very broad UAE distribution

Weaknesses: Same country-of-origin scrutiny as Hikvision / Dahua for buyers with NDAA / Western procurement constraints; firmware cybersecurity less mature than premium tier

Best for: UAE commercial / SMB / time-and-attendance / cost-led where Western-procurement compliance is not required

Cost-effective for non-restricted UAE commercial; NOT recommended where NDAA / Western procurement constraints apply

Anviz

Anviz

Mass-market Challenger

Strengths: Cost-competitive biometric and access readers

Weaknesses: Same procurement caution as ZKTeco

Best for: SMB cost-led time-and-attendance

Reasonable cost-led alternative to ZKTeco

Matrix

Matrix Comsec

Challenger (Indian SMB / mid-market)

Strengths: Time-and-attendance + access combined platform, cost-effective, strong in Indian-aligned UAE customer base

Weaknesses: Smaller market share than ZKTeco / Suprema in UAE

Best for: SMB / mid-market time-and-attendance, Indian-business-aligned

Reasonable SMB choice for time-and-attendance

Idemia

Idemia (formerly Morpho / Safran)

Premium Biometric (gov / immigration heritage)

Strengths: Premium-tier biometric with government / immigration heritage, MorphoWave touchless fingerprint, VisionPass face

Weaknesses: Premium pricing; smaller commercial channel

Best for: Government, airports, premium high-security applications

Top pick for premium / government biometric

Vanderbilt

Vanderbilt Industries (former Siemens HQ Series)

Established

Strengths: Solid mid-market platform, strong intrusion integration, European heritage

Weaknesses: Smaller UAE market share

Best for: European-aligned mid-market

Niche option

Who wins for access control in UAE?

  • Premium enterprise platform, banks / government / large hospitals / multi-site enterprise: Lenel S2 (or Honeywell Pro-Watch / Genetec Synergis as strong alternatives), with HID readers and credentials
  • Cloud-managed modern offices / distributed multi-site: Avigilon Alta, with Verkada Access or Brivo as alternatives
  • Hospitality / hotels: Salto KS / Salto Space, with dormakaba as alternative
  • Government / regulated / critical infrastructure: Gallagher Command Centre or Lenel OnGuard with HID + Idemia biometric
  • Biometric / time-and-attendance: Suprema for premium / NDAA-compliant; ZKTeco for cost-led commercial (with country-of-origin caveat)
  • SMB / co-working modern office: Kisi or Avigilon Alta SMB
  • Mercury-controller customers wanting cloud admin: Genea
  • Bosch-aligned shops / industrial: Bosch AMS / BIS

Support, Price & Availability

Side-by-side: UAE market reality

* Availability depends on stock-model SKUs versus specifically-configured controllers / readers / lock hardware. Custom configurations may take longer ETA depending on supply chain. Artiflex normally suggests proceeding with stock-SKU configurations wherever possible.

CriterionHIDLenel S2HoneywellGallagherAvigilon AltaVerkadaSupremaZKTeco
UAE local presenceDirect + extensiveDirect + selectiveDirect + selectiveSelectiveDirect + growingDirect + growingDirect + extensiveDistributor + extensive
Civil Defence / SIRA-approved typical models★★★★★★★★★★★★★★★★★★★☆★★★★☆★★★☆☆★★★★★★★★★☆
4-hour onsite (24×7)★★★★★★★★★☆★★★★☆★★★☆☆★★★☆☆★★★☆☆★★★★☆★★★★★
List price competitiveness (per door)★★★☆☆ Premium readers★★☆☆☆ Premium★★☆☆☆ Premium★★☆☆☆ Premium★★★☆☆ Subscription★★★☆☆ Subscription★★★★☆★★★★★ Best value
UAE engineering / installer bench★★★★★★★★★☆★★★★☆★★★☆☆★★★★☆★★★☆☆★★★★☆★★★★★
NDAA / Western procurement compliant★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★☆☆☆☆ Restricted
Mobile credential maturity★★★★★ HID Mobile / Origo / Apple Wallet★★★★☆ via HID★★★★☆ via HID★★★★☆★★★★★ Native★★★★★ Native★★★☆☆★★★☆☆

Visitor Management

The paper visitor book, replaced

Modern visitor management has replaced the paper visitor book in most UAE corporate buildings. Done well, it integrates with access control to issue temporary credentials, captures Emirates ID / passport scans, screens against deny-lists, and provides full audit trail.

Vendor / platformPositionStrengthsBest for
EnvoyLeader (cloud)Modern UX, mobile-first, deep integrations with M365 / Slack, ID-scan, deny-list, NDA on entry, badge printingModern offices, mid-market through enterprise
iLobbyLeader (enterprise)Enterprise-grade, audit-trail focused, deep access control integration (Lenel, Genetec), watchlistBanks, government, regulated enterprise
Proxyclick / Eptura VisitorLeader (mid-market)Mature platform, strong M365 integration, sustainability metricsMid-market through enterprise
SineMid-marketWorkplace + visitor combined, strong in Australian / UK customer baseMid-market
Lenel OnGuard / S2 Visitor / Honeywell Pro-Watch Visitor / Genetec VisitorNative to access platformTightly integrated with access control, single audit trailCustomers using these platforms, single-vendor preference
SoloInsight CloudGateEnterprise visitor + workplaceTouchless visitor + workplace integration; growing UAE presenceEnterprise hybrid-work focused
Verkada GuestNative to Verkada AccessVisitor management as part of Verkada single-platformVerkada-aligned customers
Avigilon Alta VisitorNative to Avigilon AltaCloud visitor + access in single platformAvigilon Alta-aligned customers

Integration with CCTV, Intrusion, Fire & HR

Most valuable when it talks to other systems

Modern access control is most valuable when it talks to the other security systems and HR. Below are the integration patterns we deploy most often for UAE customers.

IntegrationWhyHow
Access ↔ CCTVDoor-forced or invalid-credential events automatically pop the relevant CCTV feed for the SOCGenetec Security Center, Lenel + Milestone, Avigilon Unity / Alta, Verkada Command, native unified or via vendor-supported integration
Access ↔ IntrusionArming / disarming intrusion alarm based on access events; first-in disarm, last-out armNative in unified platforms (Genetec, Lenel, Bosch); or via DSC / Bosch / Honeywell intrusion bridge
Access ↔ Fire alarmMandatory: magnetic locks on egress paths must release on fire alarmHard-wired interlock, fire-rated cabling; certify on commissioning per Civil Defence
Access ↔ HR / IDM (joiners-movers-leavers)Automatic provisioning / de-provisioning of cardholders based on HR systemSCIM / API integration with SAP SuccessFactors, Workday, Oracle HCM, Microsoft Dynamics, BambooHR; or via IDM (Okta, Microsoft Entra) as broker
Access ↔ AD / Azure AD / OktaSingle sign-on for admin console, multi-factor for sensitive zonesSAML / OAuth, supported by all enterprise platforms and most cloud platforms
Access ↔ Visitor managementVisitor pre-registration with temporary credential issuanceNative or via Envoy / iLobby / Proxyclick API
Access ↔ Building management (BMS)HVAC / lighting based on occupancy; lift-call after access verificationBACnet / Modbus integration; KNX in some premium fit-outs
Access ↔ Time-and-attendanceSingle first-swipe / last-swipe drives attendance reportingNative time-and-attendance in Suprema / ZKTeco / Matrix; or export to dedicated T&A (Workday Time, Kronos)
Access ↔ SIEM / SOCPhysical events feed cyber-physical correlation in SIEMSyslog / API / Splunk / Sentinel integration; supported by all enterprise platforms

Access Control Licensing Comparison

Per-door, per-reader, per-cardholder, per-cloud

Access control licensing varies dramatically by vendor, per-door, per-reader, per-cardholder, per-server, per-cloud-subscription. The 5-year TCO depends as much on licensing as on hardware.

* Licensing as per vendor positioning in 2026 Q2; SKUs and pricing models may evolve. Validate at quote time.

Vendor / SKULicensing modelIndicative priceWhat's includedWhat requires extraBest for
Lenel S2 NetBox / OnGuardPer-server + per-door perpetual + Care subscriptionServer + ~700 - 1,400 / door perpetual; Care 12-18% / yrPlatform, controllers via Mercury, integration frameworkSpecific add-ons (visitor, advanced reporting, biometric integration)Premium enterprise
Honeywell Pro-Watch / WIN-PAKPer-server + per-door perpetual + Software AssuranceQuote-only; comparable to LenelPlatform, integrationsVisitor, advanced reporting, intrusion bridgeHoneywell-aligned
Genetec Synergis (with Security Center)Per-door perpetual + Genetec Advantage subscriptionQuote-only; premium tierPlatform, federation, full Security Center unified suite available as bundleCloud, advanced add-onsUnified video + access
Gallagher Command Centre + Controller 6000Per-door perpetual + Maintenance & SupportQuote-only; premium tierFull Command Centre, intrusion + perimeter integrationGovernment / critical infrastructure
AMAG SymmetryPer-door perpetual + maintenanceQuote-onlyPlatform, broad integrationVisitor, advanced reportingGovernment / large enterprise alternative
Avigilon Alta (Openpath) CloudPer-door per-month subscription~110 - 220 / door / monthCloud platform, mobile credentials included, integration with Alta VideoHigher-tier features, premium supportCloud-managed
Verkada AccessPer-door per-year subscription, multi-year terms; controllers sold separatelyHardware ~3,500 - 11,000 / door + ~700 - 1,800 / door / yearCloud platform, mobile credentials, full featuresHigher-retention / advanced AISingle-vendor cloud
BrivoPer-door per-month~95 - 180 / door / monthCloud platform, mobile credentials, broad reader compatibilityPremium features, enterprise federationReal-estate operators
GeneaPer-door per-month~110 - 165 / door / monthCloud admin on top of Mercury controllersMercury-controller cloud
KisiPer-door per-month + per-user mobile credential~75 - 130 / door / month + per-user feesCloud platform, mobile credentialsHigher-tier featuresSMB / co-working
Salto KS / SpacePer-lock perpetual + KS cloud subscriptionHardware ~2,200 - 5,500 / lock + KS subscriptionSmart-lock platform with cloud optionHospitality / wireless retrofit
HID Mobile Access (mobile credentials)Per-user per-year subscription (separate from access platform)~30 - 65 / user / yearMobile credential issuance on Origo / WorkforceIDAdd-on to any HID-supporting platform
Suprema BioStar 2Hardware perpetual; software free with hardware (basic) or licensed Pro/CloudReaders ~2,500 - 8,500 + software tiersBiometric platform, basic accessPro features, cloud subscription, integration to Lenel / Honeywell etc.Biometric-led / T&A
ZKTecoHardware perpetual; software (ZKBio) typically free with hardwareReaders ~700 - 3,500Hardware + basic softwarePremium ZKBio modules, cloudUAE commercial cost-led
Matrix ComsecHardware perpetual + software AMCHardware ~1,500 - 5,500 / doorTime-and-attendance + access combinedHigher-tier featuresSMB T&A

Access control licensing decision shortcut

  • Premium enterprise on-prem: Lenel S2 OnGuard / NetBox + HID readers + Mercury controllers
  • Honeywell-aligned enterprise: Honeywell Pro-Watch + HID readers
  • Unified VMS + access: Genetec Security Center (Synergis + Omnicast)
  • Government / critical infrastructure: Gallagher Command Centre
  • Cloud-managed multi-site: Avigilon Alta or Verkada Access or Brivo
  • Hospitality / wireless smart locks: Salto KS / Space or dormakaba
  • Biometric / T&A: Suprema for NDAA-compliant; ZKTeco / Matrix for cost-led
  • SMB / co-working: Kisi or Avigilon Alta SMB

Reality Check

What's rarely used in UAE access control (and why)

TechnologyStatusWhy it's rarely usedWhere it still fits
125 kHz proximity cards (HID Prox / EM4100)Should be retiredTrivially cloneable, no encryption, known security issues for over a decadeReplace at refresh; never specify for new
MIFARE Classic 1K / 4KShould be retiredCrypto-1 broken since 2008Replace at refresh
Wiegand reader-to-controller wiringShould be replacedUnencrypted, one-way, vulnerable to 'ESPKey' sniffing, modern best-practice is OSDP v2Replace at refresh; specify OSDP v2 for new
Standalone single-door controllers (no central system)NicheNo audit trail, no central revocation, joiners-movers-leavers chaosExisting legacy estate maintenance only; never specify for new beyond very small SMB
'All doors mag-lock' designWrongMany doors should be electric strike (preserves mechanical key access, allows free egress without lock release); mag-lock everywhere creates Civil Defence egress complexityEgress doors specifically; not universal
Skipping the request-to-exit (RTE)Civil Defence non-complianceEgress doors must allow free egress without credential; missing RTE creates trapped occupants on power lossNowhere, always specify RTE on egress
Self-installation / unlicensed contractorCivil Defence / SIRA non-complianceVoids approvals, can prevent occupancy sign-offNowhere, always use licensed installer
Biometric as sole credential for high-security zonesInsufficientBiometric should be one factor among two, combine with card / mobile / PIN for true two-factor in sensitive zonesUse multi-factor for high-security
Manual paper visitor book at receptionOutgrownNo audit trail, no deny-list, no NDA capture, no Emirates ID scan, no integration with accessReplace with modern visitor management
'We'll integrate access with HR later'Common deferral that turns into neverWithout HR integration, leavers retain access for weeks; manual de-provisioning is unreliableIntegrate at deployment, not phase-2

Three patterns we frequently rescue UAE customers from

  • 1. "We're still on 125 kHz prox because everyone has cards", replacing prox cards across an estate sounds expensive but is materially cheaper than the security incident waiting to happen. Plan a 12-18 month migration to MIFARE DESFire EV3 + mobile.
  • 2. "The contractor said it's Civil Defence compliant", but the egress hardware doesn't release on fire alarm, or the magnetic locks fail-secure instead of fail-safe. Always commission with the Civil Defence / fire integration test as a pass/fail gate.
  • 3. "We have access control but leavers still have working cards", without HR / IDM integration, JML is a manual process that fails. Always integrate access platform with HR or IDM at deployment, not as a phase-2 nice-to-have.

Budget Guidance · UAE 2026/2027

Indicative pricing across 21 common configurations

* Prices are only indicative and will vary based on door count, controller architecture, lock hardware, credential mix, software platform, vendor positioning and quarter-end. Always validate via formal quote.

ConfigurationIndicative rangeNotes
Premium reader (HID Signo MIFARE DESFire + mobile)AED 1,400 - 2,800 / readerHardware only
Mid-tier reader (Suprema XPass / generic DESFire)AED 700 - 1,400 / readerHardware only
ZKTeco DESFire reader (commercial-grade)AED 250 - 700 / readerHardware only
Suprema BioStation 3 (face + card multimodal)AED 3,500 - 7,500 / unitPremium biometric reader
ZKTeco fingerprint + face comboAED 1,400 - 3,500 / unitMass-market biometric
Idemia MorphoWave / VisionPassAED 14,000 - 35,000 / unitPremium biometric
Mercury LP1502 / 2500 controller (2-door)AED 3,500 - 7,500 / controllerPlus PSU, enclosure
Mercury LP4502 (16-door)AED 11,000 - 22,000 / controllerPlus PSU, enclosure
Magnetic lock (600 lb / 1200 lb)AED 700 - 2,200 / unitPlus mounting, breakglass
Electric strikeAED 700 - 2,500 / unitDoor-frame compatible
Lenel NetBox (5-door starter package)From AED 22,000Server license + 5 doors
Lenel OnGuard enterprise licenseFrom AED 100,000+Quote-only; varies with door count and modules
Avigilon Alta cloud (per door, monthly)~AED 110 - 220 / door / monthSubscription
Verkada Access controller (per door)AED 3,500 - 11,000 / doorPlus subscription
HID Mobile Access credential (per user, annual)AED 30 - 65 / user / yearAdd to existing HID-compatible platform
MIFARE DESFire EV3 cardAED 15 - 35 / cardPer credential
Salto smart lock (XS4)AED 2,200 - 5,500 / lockPlus KS subscription
Speed gate / waist-high tripod turnstileAED 22,000 - 75,000 / lanePlus integration
Visitor management subscription (Envoy / iLobby / Proxyclick)~AED 9,500 - 38,000 / year per locationTier-dependent
Site survey & design (mid-size, ~50 doors)AED 22,000 - 65,000Includes BoM, Civil Defence egress design, integration scope
Installation labour (per door, mainstream commercial)AED 1,500 - 4,500 / doorDoor hardware + cabling + commissioning

Artiflex Service Packages · Access Control

Productized access control deployments

Each is a complete project, design, regulator alignment, materials, installation, commissioning, training, integration and ongoing AMC.

* Package prices are indicative and may vary depending on door count, controller architecture, credential mix, integration scope and any custom requirements.

SMB Access Starter

SMB single-site, ~10-25 doors

Site survey, MIFARE DESFire reader + cards, mid-tier panel + software, Civil Defence-compliant egress hardware, basic visitor management, 1-day KT

SLA

9×5 with 4-hr critical

AMC

AED 3,500 - 7,500/mo

AED 50,000 - 180,000

Mid-Market Commercial Access

Mid-market commercial / hospitality / education / SMB-bank, 30-100 doors

Full design, HID Signo readers, Mercury controllers, Lenel NetBox or Avigilon Alta cloud, MIFARE DESFire + HID Mobile Access, Civil Defence-compliant egress, HR / AD integration, visitor management (Envoy / Proxyclick), CCTV integration, 3-day KT, 30-day hypercare

SLA

24×7 with 4-hr onsite

AMC

AED 11,000 - 28,000/mo

AED 250,000 - 900,000

Premium Enterprise Access

Banks, government, premium enterprise, 100+ doors multi-site

Full design, HID readers + Mercury controllers, Lenel S2 OnGuard or Genetec Synergis, HID Mobile Access + DESFire EV3 + Suprema biometric for sensitive zones, full Civil Defence + fire integration, HR / IDM / AD integration, unified VMS + intrusion + fire integration, Idemia for government-grade biometric, 5-day KT, 90-day hypercare

SLA

24×7 with 4-hr onsite + named TAM

AMC

AED 22,000 - 75,000/mo

From AED 1,500,000

Cloud-Managed Multi-Site (Avigilon Alta / Verkada Access)

Distributed offices / retail / co-working, 5-30 sites

Cloud platform subscription, mobile credentials, wireless / wired controllers per site, basic visitor management, central admin, 3-day KT

SLA

24×7 with 4-hr critical

AMC

AED 9,500 - 22,000/mo

From AED 280,000 (10 sites) + subscription

Hospitality Lock Estate

Hotel chains

Salto / dormakaba wireless smart locks across guest rooms, mobile guest keys, PMS integration (Opera / IDS / SUN), staff access integrated, 3-day KT

SLA

24×7 with 4-hr response

AMC

AED 11,000 - 28,000/mo

From AED 350,000 (per property, ~150 rooms)

Time-and-Attendance + Access (Biometric)

Customers wanting unified T&A and access

Suprema or ZKTeco (per requirement), BioStar / ZKBio platform, payroll integration (HR), 2-day KT

SLA

9×5 with 4-hr critical

AMC

AED 3,500 - 11,000/mo

From AED 80,000

Credential Migration (legacy to modern)

Customers with 125 kHz prox or MIFARE Classic wanting to migrate to DESFire / mobile

Reader audit, multi-tech reader replacement, parallel-credential rollout (old + new during transition), card / mobile-credential issuance, training, deprecation plan

SLA

Project-based

AMC

AED 5,500 - 14,000/mo

From AED 150,000

Civil Defence Egress & Compliance Audit

Existing premises with egress / fire-integration findings

Full audit, gap analysis, remediation plan (mag-lock fail-safe verification, RTE installation, breakglass, fire-alarm interlock), regulator paperwork

SLA

Project-based

AMC

N/A (project)

From AED 65,000 (audit) + remediation

What's included in every Artiflex access control package

  • Site survey & design, door schedule, lock hardware specification, cabling, controller architecture, integration scope
  • Civil Defence egress design, RTE, breakglass, fail-safe specification, fire-alarm interlock
  • Regulator paperwork, SIRA / Civil Defence approvals where applicable
  • Implementation by certified engineers, HID Advantage Plus, Lenel Certified, Honeywell HCA, Genetec certified, Suprema certifications
  • Cabling & lock hardware, fire-rated where required
  • Integration setup, HR / AD / Azure AD / VMS / intrusion / fire
  • Cardholder enrolment, initial bulk enrolment, JML workflow
  • Documentation pack, door schedule, IP / credential register, runbooks, fire-integration certification
  • End-user / SOC training
  • 30-day post-go-live hypercare; quarterly health review for AMC customers

UAE-Specific Considerations

Civil Defence egress, SIRA, biometric residency, NDAA, JML, Emirates ID

  • Civil Defence egress is mandatory, all egress doors must have free-egress hardware (push bar / breakglass / RTE) and magnetic locks must release on fire alarm. Get this wrong and the building doesn't get occupancy sign-off.
  • SIRA / ADP approval (where applicable): verify approval at SKU level and use SIRA-licensed installer. Approved-vendor lists are updated periodically.
  • Biometric data residency: templates are PII; UAE-region cloud or on-prem storage; encrypted at rest; documented retention and consent. Confirm at design.
  • Country-of-origin scrutiny: banks, multinational corporates with global procurement policies and NDAA-compliance-required customers should evaluate ZKTeco / Anviz against their procurement policy. UAE itself does not formally restrict, but specific buyer policies may.
  • Emirates ID integration is permitted for specific licensed use cases (some government, airport, port, banking), not for general commercial access.
  • Face recognition for general commercial deployment is regulator-restricted, limit to authorised use cases or paired with another credential.
  • HR / IDM / AD integration is foundational, integrate at deployment to avoid joiners-movers-leavers chaos.
  • OSDP v2 reader-to-controller for any new install; never specify Wiegand for new builds.
  • Lead times: stock-SKU readers and controllers 2-6 weeks; specialist biometric (Idemia, MorphoWave) and high-volume turnstiles 6-14 weeks.
Civil Defence DCD / ADCD / SCDSIRAADP / MCCICP Emirates IDCBUAEDHA / SEHA / ADHARTANESATDRANDAA-compliantOSDP v2SCIM HR / IDMCivil Defence-licensed installer

Ready for a vendor-neutral access control design?

Send us your door schedule, sites, cardholder count, integration scope (HR / AD / VMS / intrusion / fire) and Civil Defence + regulator scope, we'll come back with a sized solution including BoM, vendor recommendation across two or three options, and full Civil Defence egress alignment.

FAQ

Access control questions UAE buyers ask

The questions we hear most often from UAE businesses planning new access estates, comparing vendors, or rescuing non-compliant deployments.

Mobile-first with card fallback is the right answer for new corporate deployments in 2026/2027. Mobile credentials (HID Mobile Access, Avigilon Alta Mobile, Verkada Access mobile, Apple Wallet for Access) give better UX (no card to lose / forget), instant issuance and revocation, native two-factor with the phone's own biometric, and a clean audit trail of issuance. Keep MIFARE DESFire EV3 cards as the fallback for non-smartphone users, contractor / visitor short-term issuance, and as the backup credential when phone batteries die. The combination is materially better than card-only and avoids the operational tax of card-printing operations. Don't go mobile-only for at least the first 2-3 years, fallback cards prevent lockouts and support staff who don't want a work app on their personal phone.

On-prem (Lenel S2 OnGuard / NetBox, Honeywell Pro-Watch, Genetec Synergis, Gallagher Command Centre) for banks, government, large hospitals, multi-site enterprise with deep CCTV / intrusion / fire integration needs, and any premises with strict data residency or audit requirements. Cloud-managed (Avigilon Alta, Verkada Access, Brivo, Genea, Kisi) for modern offices, distributed multi-site customers, mid-market enterprises wanting mobile-first UX, and any customer for whom on-prem operational discipline is a stretch. Cloud-managed also wins for retrofit scenarios where running new wired controllers is expensive, particularly with Salto KS or Aperio wireless extensions. Hybrid (on-prem controllers + cloud-managed UI like Genea on Mercury) is increasingly attractive for customers wanting on-prem reliability with cloud admin convenience.

Yes for general UAE commercial, hospitality, retail, SMB and time-and-attendance customers, ZKTeco appears on regulator approved lists for specific models, has the broadest UAE channel and most aggressive pricing, and is the de-facto choice for cost-led time-and-attendance deployments. The same caveats apply as Hikvision / Dahua: at the model level, the SKU you're specifying must be on the current SIRA / Civil Defence approved list (not just the brand); and banks, multinational corporates with global procurement policies, NDAA-compliance-required customers, and certain regulated sectors should evaluate against their procurement policy. Cybersecurity firmware maturity is materially behind premium Western tier (HID, Suprema, Idemia), patch cadence and supply-chain trust deserve scrutiny in regulated verticals. For unrestricted commercial buyers, ZKTeco remains cost-effective; for restricted buyers, default to Suprema, HID Lumidigm, Idemia or Anviz.

MIFARE DESFire EV3 cards as the foundation, plus mobile credentials (HID Mobile Access or the cloud platform's native mobile credential) layered on top. Avoid 125 kHz proximity (trivially cloneable), MIFARE Classic 1K/4K (Crypto-1 broken since 2008), and legacy iCLASS standard (older keysets vulnerable). Specify multi-tech readers that can read DESFire + mobile + (optionally) biometric, that gives you a smooth migration path as mobile adoption grows. For high-security zones (server rooms, vaults, narcotics cabinets), add a second factor, card + biometric or mobile + PIN. For visitors, QR code or one-time PIN issued through your visitor management platform. Don't specify Emirates ID for general commercial access, it's permitted only for specific licensed integrations (government, airport, port, banking).

OSDP v2 for any new install, Wiegand only for legacy compatibility with controllers you're not replacing. OSDP (Open Supervised Device Protocol) v2 is bidirectional, encrypted (AES-128), supervised (detects tampering and cable cuts), and supports modern features like over-the-wire reader configuration and biometric template transfer. Wiegand is unencrypted, one-way, and has been demonstrated cloneable for years (the 'ESPKey' attack lets an attacker capture and replay credentials with sub-AED 200 of hardware). All major access vendors support OSDP v2; the only reason to use Wiegand on a new install is integration with a legacy controller, and that's a sign the controller needs replacing too. Cabling difference is minimal (Wiegand uses 5-7 conductors, OSDP uses 4 conductors over twisted-pair), so the upgrade is cheap during cable design.

Every egress door must allow free egress without presenting a credential, magnetic locks must release on power loss or fire alarm (fail-safe), strike locks may be fail-secure or fail-safe depending on door function, and egress hardware (push bar, breakglass, request-to-exit) must be installed on the egress route. Push bars / panic hardware are mandatory on most occupant-load egress doors. Breakglass emergency releases are required adjacent to magnetic-lock egress doors (once broken, must be replaced). Fire alarm interlock is hard-required, magnetic locks on egress paths must release on fire alarm activation, hard-wired with fire-rated cabling and certified during commissioning. Get any of this wrong and the building doesn't get Civil Defence sign-off, no occupancy permit, no business operating from the premises. Always engage a Civil Defence-certified installer and treat fire-integration as a pass/fail commissioning gate, not a phase-2 task.

Yes, at deployment, not as a phase-2 nice-to-have. Without HR integration, joiners-movers-leavers (JML) is a manual process that fails: leavers retain working credentials for weeks (sometimes months), role changes don't propagate to access permissions, and audit trails don't tie back to HR records. Modern enterprise platforms (Lenel S2, Honeywell Pro-Watch, Genetec, Avigilon Alta, Verkada) all support SCIM or API integration with SAP SuccessFactors, Workday, Oracle HCM, Microsoft Dynamics, BambooHR and others, or via an IDM broker (Okta, Microsoft Entra). Once configured, terminations in HR automatically deactivate credentials within minutes, role changes update access permissions, and audit trails reconcile with HR. Skipping HR integration at deployment to 'do it later' almost always becomes 'do it never', and the security and compliance risk compounds for years.

Probably not, unless you have an explicit licensed use case and have done legal review. Face recognition for general commercial deployment is regulator-restricted in UAE (similar to CCTV facial recognition), typically permitted for time-and-attendance with explicit consent, premises with specific licensed use cases, or paired with another credential as a verification factor (not as the sole identifier). What customers usually actually want is touchless access, which is well-served by mobile credentials (NFC tap with phone) and card readers with auto-presence detection, both of which avoid the regulator scrutiny. For sensitive-zone access, multi-factor (card + biometric or mobile + PIN) is generally a better answer than face-as-sole-credential. If you do specify face recognition for time-and-attendance, ensure: explicit staff consent and opt-out path, template-only storage (never raw images), in-country data residency, encryption at rest, and clear retention/deletion policies. Always involve legal review before specifying.

Plan an 8-12 year refresh cycle for controllers, 5-8 years for readers, and 3-5 years for credentials in active use (cards wear; mobile credentials are software so they're refreshed via OS updates). Controllers have long support lifecycles, Mercury Security LP-class controllers from 2015 are still supported by all major platforms, but modern controllers (LP4502, LP1502, EVO Series) support OSDP v2, encrypted communications, and modern integration features that older units don't. Readers should refresh whenever the credential strategy changes (e.g., adding mobile credentials means multi-tech readers), or when 125 kHz prox / MIFARE Classic / Wiegand-only readers need replacement for security reasons. Software platforms typically maintain backward compatibility for 5-7 years on major versions; budget the per-door / per-cardholder Care or maintenance subscription as opex, not as periodic forklift replacement. The bigger cycle to plan for is the 'credential migration' cycle, every 7-10 years you'll move to a new credential family, and that's the right moment to refresh the readers and possibly the controllers.

Civil Defence-compliant egress. OSDP v2. MIFARE DESFire EV3 + mobile. HR-integrated JML.

Vendor-neutral access control design across HID, Lenel S2, Honeywell, Gallagher, Genetec, AMAG, Bosch, Avigilon Alta, Verkada, Brivo, Genea, Kisi, Salto, dormakaba, Suprema, ZKTeco, Idemia. Civil Defence egress, SIRA-licensed installation, biometric data residency, sector-regulator alignment, HR / AD / Azure AD / Okta integration.